Plugin Title | Log Storage Encryption |
Cloud | AZURE |
Category | Storage Accounts |
Description | Ensures BYOK encryption is properly configured in the Activity Log Storage Account |
More Info | Storage accounts can be configured to encrypt data-at-rest. By default Azure will create a set of keys to encrypt the storage account, but the recommended approach is to create your own keys using Azure Key Vault. |
AZURE Link | https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys |
Recommended Action | Ensure the Storage Account used by Activity Logs is configured with a BYOK key. |
- Log in to the Microsoft Azure Management Console.
- Select the "Search resources, services, and docs" option at the top and search for "Monitor".
- On the left navigation panel, click on "Diagnostics Settigns" under "Settings".
- On the "Diagnostics settings" page, select the resource from the list with value "Enabled" in the "Diagnostic status" column by clicking on its name.
- On the resource configuration page, copy the "Storage account" name for the "Activity Log".
- Now select the "Search resources, services, and docs" option at the top and search for "Storage accounts".
- Paste the "Storage account" name on the "Filter" option at the top, copied in Step 5 and select the corresponding "Storage account."
- Scroll down the "Storage account" navigation panel and select "Encryption" under "Security + networking."
- On the "Encryption page" scroll down and check the "Encryption type". If "Microsoft-managed keys" is selected, then "BYOK encryption" is not configured in the Activity log storage account.
- To enable "BYOK encryption" select "Encryption type" as "Customer-managed keys". In the "Encryption key" select option "Select from key vault".
- In the "Key Vault and key" click on the blue hughlighted text "Select a key vault and key".
- On the "Select a key" page, select "Key store type" as "Key vault". In the "Key vault" and "key" options select the key vault and key from the dropdown or you can create your own key vault and key. Click "Select" button at the end to save the selected options.
- Click on the "Save" button at the end to make the changes.
- Repeat step number 4 - 13 to ensure the Storage Account used by Activity Logs is configured with a BYOK key for all resources with Diagnostic Status "Enabled".